[packman] PMBS: Multimedia repo publishing

Stefan Botter jsj at jsj.dyndns.org
Fri Mar 19 12:44:04 CET 2021 

Hi Packmans,

for the past four weeks there has been an publishing problem with the
Multimedia project: Packages have been build successfully on PMBS, but
never made it to the mirrors.

As outlined in a mail on Feb 27th, PMBS' publishing stages build
projects to packman.links2linux.de, where all packages are re-signed
with the official packman GPG key. Once this is done, the packages are
finally published and pushed to the mirrors.
Before the packages are re-signed, the process checks the validity of
the then existing signatures against a list of known keys - these are
then PMBS-project keys, we manually maintain the list of trusted keys on
packman.
The standard GPG key for PMBS expired last July unnoticed. This did not
cause the current problem for Multimedia, but apart from the nuisance of
no further account creation, it exposed the circumstance, that the
Multimedia key was an old key, created before the standard PMBS key
(which is used by the signer to access the project keys).

(I really **really** do not understand, how PMBS was able to sign
packages with the old key since May 2014!)

Multimedia packages built on PMBS could be signed again only after I
replaced the Multimedia project signing key on Feb 24th.
This in turn broke the verification on packman.links2linux.de, so
Multimedia packages arriving there are not re-signed and hence not
published to the mirrors.
As I do not have access to the re-signing part on packman, I cannot
simply update/trust the new project key. Marc is offline ATM, and cannot
help me right now, so I will try to replace Multimedia's key with
another already trusted key in our publishing chain.

This will likely break something, as I am try-and-erroring.
For that I have stopped the schedulers for all architectures apart
aarch64. Once all packages there have been built, I will stop the
dispatcher, make a snapshot of the VM, replace the Multimedia key and
start everything up again.


I am looking forward to resolve the publishing issue with this.
I will send another mail, when I implemented the change.


Greetings,

Stefan
-- 
Stefan Botter zu Hause
Bremen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL: <http://lists.links2linux.de/pipermail/packman/attachments/20210319/6299c501/attachment.sig>

More information about the Packman mailing list